Closed jpenglert closed 10 months ago
I will submit a PR
> If an instance of UserImpl is constructed using the default constructor
@jpenglert this should not be done by user code. The default constructor is only present because it is required for ClusterSerializable implementations.
@tsegismont understood that an instance of UserImpl should not be constructed using the default constructor by user code. However, is there any harm in updating the deserializing code to be more robust by handling null fields like the serializing code does?
The problem is UserImpl makes checks (like creating a User without providing a principal) that the change would allow to be circumvented.
My opinion is VertxProfileManager in Pac4j shouldn't invoke an internal constructor in UserImpl. Instead, it should use one of the creation methods in the User interface.
@tsegismont I made a PR for vertx-pac4j but that project looks pretty dead. If you know anyone over there maybe you could ping them?
Seems like vertx-pac4j may need to do a more in-depth re-work such that instead of extending UserImpl with Pac4jUser they use the io.vertx.ext.auth.authorization.Authorization interface?
@jpenglert sorry, I don't know any maintainers personally and I'm not familiar with vertx-pac4j. Have you tried to look at the GH profile of the committers? Maybe someone shares an email address?
@tsegismont no worries...one of the committers responded and merged my PR. Thanks again for your help on how to resolve this.
Version
4.4.4
UserImpl has a default constructor which does not initialize its authorizations, attributes, or principal fields. The UserConverter class expects User to return a non-null value for those fields. If an instance of UserImpl is constructed using the default constructor and then later on serialized (since it implements ClusterSerializable) and then deserialized, it will result in an NPE when it delegates serialization to UserConverter, because UserConverter does not perform a null check on the fields it's decoding from the given JsonObject.

I encountered this with the Pac4jUser class from org.pac4j:vertx-pac4j, which extends UserImpl and implements the default constructor, which leaves all the fields null. The VertxProfileManager from org.pac4j:vertx-pac4j uses the Pac4jUser default constructor.

Seems like UserConverter should check for null on all fields before attempting to deserialize it.

Do you have a reproducer?
Steps to reproduce
Extra
Related to https://github.com/eclipse-vertx/vertx-auth/issues/637
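The round trip described in the issue body, and the factory-method approach suggested in the comments, as an added example. This is not code from vertx-auth or vertx-pac4j; it assumes the vertx-auth 4.4.x API as the thread describes it: a public no-arg UserImpl constructor, User.create(JsonObject principal, JsonObject attributes) returning a UserImpl, and UserImpl implementing ClusterSerializable via writeToBuffer(Buffer) and readFromBuffer(int, Buffer). The class name UserRoundTripDemo, the LegacyStyleUser stand-in for Pac4jUser, and the sample principal/attributes are constructed for the example.

```java
import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.core.shareddata.ClusterSerializable;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.impl.UserImpl;

// Added example, not project code. Assumes the vertx-auth 4.4.x API named in the lead-in.
public class UserRoundTripDemo {

  // Stand-in for Pac4jUser (hypothetical name): a subclass that relies on
  // UserImpl's default constructor and so never initialises
  // principal / attributes / authorizations.
  static class LegacyStyleUser extends UserImpl {
    public LegacyStyleUser() {
      super();
    }
  }

  // Serialise and deserialise through the ClusterSerializable contract, the
  // same path a clustered session store or shared map takes.
  static UserImpl roundTrip(ClusterSerializable user) {
    Buffer buf = Buffer.buffer();
    user.writeToBuffer(buf);          // encode side: the issue says this tolerates null fields
    UserImpl copy = new UserImpl();   // empty shell, as the receiving side would create it
    copy.readFromBuffer(0, buf);      // decode side: where the issue reports the NPE
    return copy;
  }

  public static void main(String[] args) {
    // 1. What the issue reports: the default constructor leaves every field null,
    //    so the object cannot survive a cluster round trip.
    LegacyStyleUser bare = new LegacyStyleUser();
    System.out.println("principal null?      " + (bare.principal() == null));
    System.out.println("attributes null?     " + (bare.attributes() == null));
    System.out.println("authorizations null? " + (bare.authorizations() == null));
    try {
      roundTrip(bare);
      System.out.println("round trip of default-constructed user succeeded");
    } catch (NullPointerException e) {
      System.out.println("round trip of default-constructed user failed: " + e);
    }

    // 2. The approach suggested in the thread: build the user through the User
    //    factory methods, which hand back a fully initialised UserImpl.
    //    Constructed sample data.
    JsonObject principal = new JsonObject().put("username", "alice");
    JsonObject attributes = new JsonObject().put("roles", new JsonArray().add("admin"));
    User proper = User.create(principal, attributes);

    // Cast assumes User.create(...) returns the ClusterSerializable UserImpl,
    // as the comments in the thread state.
    UserImpl restored = roundTrip((ClusterSerializable) proper);
    System.out.println("restored principal:  " + restored.principal());
    System.out.println("restored attributes: " + restored.attributes());
    System.out.println("restored authorizations non-null? " + (restored.authorizations() != null));
  }
}
```

If an integration (here, the Pac4jUser stand-in) genuinely needs its own subclass, the safer shape is to call the initialising super constructor, `super(principal, attributes)`, rather than the no-arg one, so that every field the converter reads is populated before the object can reach a shared map.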